US9154459B2 (Active, Utility)

Access control manager

Assignee: MALWAREBYTES CORP
Priority: Sep 25, 2013
Filed: Sep 25, 2013
Granted: Oct 6, 2015
Est. expiry: Sep 25, 2033 (~7.2 yrs left) · nominal 20-yr term from priority
Inventors: SWANSON DOUGLAS STUART; YOUNG DANIEL; MOORE JOHN
CPC: H04L 63/0263; H04L 63/0236; H04L 63/0227; H04L 63/101

Abstract

A network access manager controls access to a network interface according to a set of access control instructions specifying permissible and impermissible addresses and domains on a network. The network access manager establishes a graylist of addresses based on a domain request that is associated with a whitelisted domain that is accessed via a blacklisted address. When a request to establish a connection is received directed to a graylisted address, the connection is permitted to establish and the connection is added to a session graylist. When a session data transfer packet is received, if the session corresponds to a session on the session graylist, the session data transfer packet is examined to determine if it matches a whitelisted domain, in which case the session is associated with a session whitelist and permitted access to the network. The access control instructions may be automatically updated from a trusted access control management system.

Claims

What is claimed is:

1. A method for domain-based network access management in a computer, comprising:
 receiving a session data transfer packet specifying a network address;
 determining whether the network address corresponds to a session on a session graylist, the graylist indicating sessions that are associated with a network address that is not permitted access and at least one domain that is permitted access;
 determining a domain associated with the session data transfer packet;
 determining whether the domain is a permissible domain;
 responsive to determining that the network address corresponds to a session on the session graylist and the domain is a permissible domain, associating the session with a session whitelist and permitting the session data transfer packet access to a network interface;
 receiving an initiate session packet specifying a session address;
 determining whether the session address matches an address in an address graylist, the address graylist indicating a set of addresses that are selectively permitted access to the network interface;
 responsive to determining that the session address matches an address in the address graylist, permitting the initiate session packet access to the network interface and adding the session to the session graylist;
 receiving, from a requester, a domain resolution request packet specifying a resolution domain and permitting the domain resolution request packet access to the network interface;
 receiving a domain resolution response from the network interface specifying a domain network address;
 determining whether the resolution domain is a permissible domain and whether the network address is a permissible address; and
 responsive to determining that the domain is a permissible domain and the network address is not a permissible address, adding the network address to the address graylist.

2. The method of claim 1, further comprising, responsive to determining that the network address does not correspond to a permissible domain, associating the session with a session blacklist and preventing the session data transfer packet access to the network interface.

3. The method of claim 1, further comprising:
 receiving a second session data transfer packet specifying the network address;
 determining that the second session data transfer packet corresponds to the session on the session whitelist without determining a domain associated with the second data transfer request; and
 permitting the second session data transfer packet access to the network interface.

4. The method of claim 1, wherein the network address is stored in a header of the session data transfer packet.

5. The method of claim 1, wherein the domain is determined from a payload of the session data transfer packet.

6. A computer system comprising:
 a network interface configured for accessing a network; and
 a processor configured to:
 receive a session data transfer packet specifying a network address;
 determine whether the network address corresponds to a session on a session graylist, the graylist indicating sessions that are associated with a network address that is not permitted access and at least one domain that is permitted access;
 determine a domain associated with the session data transfer packet;
 determine whether the domain is a permissible domain;
 responsive to determining that the network address corresponds to a session on the session graylist and the domain is a permissible domain, associate the session with a session whitelist and permit the session data transfer packet access to the network interface;
 receive an initiate session packet specifying a session address;
 determine whether the session address matches an address in an address graylist, the address graylist indicating a set of addresses that are selectively permitted access to the network interface;
 responsive to determining that the session address matches an address in the address graylist, permit the initiate session packet access to the network interface and add the session to the session graylist;
 receive, from a requesting application, a domain resolution request packet specifying a resolution domain and permit the domain resolution request packet access to the network interface;
 receive a domain resolution response from the network interface specifying a domain network address;
 determine whether the resolution domain is a permissible domain and whether the network address is a permissible address; and
 responsive to determining that the domain is a permissible domain and the network address is not a permissible address, add the network address to the address graylist.

7. The system of claim 6, wherein the processor is further configured to, responsive to determining that the network address does not correspond to a permissible domain, associate the session with a session blacklist and prevent the session data transfer packet access to the network interface.

8. The system of claim 6, wherein the processor is further configured to:
 receive a second session data transfer packet specifying the network address;
 determine that the second session data transfer packet corresponds to the session on the session whitelist without determining a domain associated with the second data transfer request; and
 permit the second session data transfer packet access to the network interface.

9. The method of claim 6, wherein the network address is stored in a header of the session data transfer packet.

10. The method of claim 6, wherein the domain is determined from a payload of the session data transfer packet.
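The abstract and claim 1 describe a small state machine: a DNS answer that maps a permitted domain onto a blacklisted address graylists the address; a connection to a graylisted address is allowed but tracked on a session graylist; the first data packet on such a session is inspected for its domain and the session is then moved to a session whitelist (claim 1) or blacklist (claim 2), after which later packets on that session are decided without further inspection (claim 3). The following Python model is an added example, not Malwarebytes' code or the implementation behind this patent. It assumes HTTP/1.x `Host` headers as the domain carried in the payload (the claims leave the protocol open), a constructed 4-tuple as the session key, and the documentation addresses and domains used in `demo()` are constructed sample input.

```python
"""Toy model of the graylist access control described in the abstract and
claim 1: an added example, not Malwarebytes' code.  Packet formats, the
session key and all addresses/domains are constructed for illustration."""
from dataclasses import dataclass, field

ALLOW, BLOCK = "ALLOW", "BLOCK"


def extract_host(payload: bytes):
    """Constructed toy parser: return the Host header of an HTTP/1.x request
    payload, or None if the payload is not a plain-text HTTP request."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    for line in text.split("\r\n")[1:]:      # skip the request line
        if line == "":                         # blank line ends the headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()   # drop any :port suffix
    return None


@dataclass
class AccessControlManager:
    permitted_domains: set        # whitelisted domains from the access control instructions
    blocked_addresses: set        # blacklisted addresses from the same instructions
    address_graylist: set = field(default_factory=set)
    session_graylist: set = field(default_factory=set)   # sessions awaiting a domain decision
    session_whitelist: set = field(default_factory=set)
    session_blacklist: set = field(default_factory=set)

    def domain_permitted(self, domain: str) -> bool:
        """A domain is permissible if it equals or is a subdomain of a whitelisted domain."""
        d = domain.lower().rstrip(".")
        return any(d == p or d.endswith("." + p) for p in self.permitted_domains)

    def on_dns_response(self, resolution_domain: str, address: str) -> str:
        """Last element of claim 1: a permissible domain that resolves to an
        impermissible address graylists that address instead of blocking it."""
        if self.domain_permitted(resolution_domain) and address in self.blocked_addresses:
            self.address_graylist.add(address)
        return ALLOW      # the resolution response itself is passed through

    def on_session_init(self, session: tuple, address: str) -> str:
        """Initiate-session packet (e.g. a TCP SYN): graylisted addresses may
        connect, but the session is tracked until a domain has been seen."""
        if address in self.address_graylist:
            self.session_graylist.add(session)
            return ALLOW
        return BLOCK if address in self.blocked_addresses else ALLOW

    def on_data(self, session: tuple, address: str, payload: bytes) -> str:
        """Session data transfer packet: decide once per graylisted session
        from the domain in the payload, then remember that decision."""
        if session in self.session_whitelist:
            return ALLOW          # claim 3: no further domain inspection
        if session in self.session_blacklist:
            return BLOCK          # claim 2: session already rejected
        if session in self.session_graylist:
            self.session_graylist.discard(session)
            domain = extract_host(payload)
            if domain is not None and self.domain_permitted(domain):
                self.session_whitelist.add(session)
                return ALLOW
            self.session_blacklist.add(session)
            return BLOCK
        return BLOCK if address in self.blocked_addresses else ALLOW


def demo() -> list:
    """Walk one graylisted address through two sessions; returns the decisions."""
    acm = AccessControlManager(permitted_domains={"example.com"},
                               blocked_addresses={"203.0.113.10"})   # constructed policy
    shared_ip = "203.0.113.10"                 # blacklisted IP that also serves a permitted domain
    s1 = ("10.0.0.5", 51000, shared_ip, 80)    # constructed 4-tuple session keys
    s2 = ("10.0.0.5", 51001, shared_ip, 80)
    return [
        acm.on_session_init(s1, shared_ip),                           # BLOCK: address not yet graylisted
        acm.on_dns_response("cdn.example.com", shared_ip),            # ALLOW and graylist the address
        acm.on_session_init(s1, shared_ip),                           # ALLOW, s1 on the session graylist
        acm.on_data(s1, shared_ip, b"GET / HTTP/1.1\r\nHost: cdn.example.com\r\n\r\n"),  # ALLOW, s1 whitelisted
        acm.on_data(s1, shared_ip, b"GET /x HTTP/1.1\r\nHost: other.test\r\n\r\n"),      # ALLOW, not re-inspected (claim 3)
        acm.on_session_init(s2, shared_ip),                           # ALLOW, s2 on the session graylist
        acm.on_data(s2, shared_ip, b"GET / HTTP/1.1\r\nHost: other.test\r\n\r\n"),       # BLOCK, s2 blacklisted (claim 2)
        acm.on_data(s2, shared_ip, b"GET / HTTP/1.1\r\nHost: cdn.example.com\r\n\r\n"),  # BLOCK, decision is sticky
    ]


if __name__ == "__main__":
    print(demo())
```

Two design points follow directly from the claims and are worth keeping in view when evaluating such a scheme. First, the address graylist is only populated through an observed resolution of a permitted domain, so a direct connection to the blacklisted address without a prior lookup stays blocked (the first entry in `demo()`). Second, because claim 3 exempts whitelisted sessions from further domain inspection, the trust decision for a session rests entirely on the first packet that was inspected; a deployment that fronts this with TLS would have to take the domain from the ClientHello SNI rather than a `Host` header, and would still make exactly one decision per session.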
